What is Click Spamming & Click Injection? Do They Affect Me?


There is no doubt that digital ad fraud is growing rapidly, with an estimated $23 billion going to fraudulent practices in 2020. And those fraudulent practices just keep getting more sophisticated, with mobile ad fraud and video ad fraud among the most high-risk channels.

One clever form of mobile ad fraud that has been growing in recent years is attribution manipulation or fake installs. This can take the form of two different practices, click spamming and click injection.

Although similar, both click spam and click injection are uniquely different. But both present a threat to anyone advertising on mobile apps. So, how do they work?

What is click spam?

This form of ad fraud works by generating a whole ton of fake clicks or impressions while an app is running – also known as click flooding. To work, it first needs the device user to land on a mobile webpage operated by the fraudster, or to download an app that is infected with their malware.

The app or website will have an automated process coded into it, known as hitbots or click bots. This automated bot will let the fraudster perform one or more of these actions:

  • Automatically clicking on ads in the background while the app is running, most likely invisible ads (click flooding)
  • Generating ‘impressions as clicks’ which make it look as though a view is an actual engagement with an ad
  • Sending clicks from the device to random vendors to collect a payout on ads

As far as the device user is concerned, they are using an app such as a game or utility app which might have one or two visible ads. Meanwhile, there might be more ads hidden or layered in the app.

The hitbots in the app, or mobile website, will then be able to click on ads in the background usually without the user being aware. In terms of volume, there could be hundreds or thousands of clicks in the background per day or even video views; hence the terms click spam or click flooding.

An example of this in the real world is the DrainerBot malware, which was embedded in several different games and utility apps on the Google Play Store in 2018.

DrainerBot got around the Play Protect checks by installing it as an update after the initial download. It then ran in the background, click spamming away on ads and watching invisible videos completely unknown to the device users.

For advertisers, they paid out for those views, while the user just found that their phone battery was drained extra quickly, hence the name DrainerBot.

How does click spamming affect advertisers?

The clever thing about click spamming is that it uses an active app that is probably seeing some real human activity. However, the malware then generates a whole ton of additional clicks or views on ads that probably aren’t even visible, known as organics poaching.

It can also work by generating fake installs on apps, which we’ll look at in more detail under the click injection heading.

This organic poaching also affects the data of the amount of clicks on ads or installs. With all those spam clicks artificially inflating the traffic, it can make an advertising platform look more effective than it really is.

What is click injection?

Although very similar to click spamming, click injection is slightly more sophisticated. Instead of clicking away like crazy, it uses a ‘just in time’ method of organics poaching to collect a payout on app installs.

This is usually done by ‘injecting’ a click at the point of download to make it look like the download was referred by the fraudster’s app or website.

Fraudsters then get paid for referring to that download, even though it was a genuine ‘organic’ download. Cha-ching.

A famous example of this is Facebook’s suing of two developers, LionMobi and JediMobi. Both of these developers are accused of using click injection on their apps to collect payouts on fake installs, or organics poaching.

The case is ongoing, but it highlights the threat and is thought to be just the tip of the iceberg when it comes to mobile ad attribution manipulation.

How does click injection affect advertisers?

Of course, you don’t want to be paying out for a referred download when it was, in fact, organic (or worse still, it wasn’t even actually downloaded).

Like click spamming, it results in an unnecessary payout to the fraudster and skewing of the true traffic data.

Who is behind mobile ad fraud?

You might think that it’s obvious that dodgy software companies are behind this boom in mobile ad fraud, and to some extent that is right.

But attributing blame is harder than it might seem. Often, mobile apps are built using software development kits, or SDKs. These are usually distributed by one company and can be used to build thousands of apps over time.

But often buried in these SDKs is a slice of errant code that is used to generate the malware activity. In the case of the DrainerBot mentioned previously, the company, TapCore, which provided the SDK, denied all knowledge of its existence.

And those developers accused by Facebook have also claimed to be totally innocent. OK, to be fair, they would, but if they are, it does beg the question, ‘where does this malware code come from?’.

The answer is as yet unknown, and successful prosecutions against click fraud and ad fraud are still relatively rare.

How to protect against click spam and click injection

As an advertiser, attribution manipulation is a tricky form of fraud to defend against, and costs brands $1.4 billion, according to a study by the University of Baltimore and CHEQ. But there can be some tell-tale signs that you’ve been a victim of organics poaching or fake installs on your apps and mobile ads.

The most obvious is the volume of traffic. If you’re advertising on apps and mobile websites, keep an eye out for surges in traffic and suspiciously high clicks. This is normally the giveaway that there has been some sort of fraud activity on your paid ads.

CHEQ monitors and protects against the activity generated by click spoofing and click injection. CHEQ For PPC is a click fraud solution that analyses over a thousand user and network parameters, in real time, to determine if traffic is fraudulent. If you need to be assured that you’re getting the best protection, CHEQ offers an award winning and comprehensive ad fraud protection package.


Want to protect your sites and ads? Click here to Request a Demo.

Latest Posts

Ready to secure your
Go-to-Market efforts?

Get started